Ryan Castellucci :nonbinary_flag:

Your SSH honeypot fakes a Linux system and logs the threat actor's commands.

My SSH honeypot hijacks the threat actor's terminal to play the music video of Rick Astley's 1987 pop hit "Never Gonna Give You Up" while ignoring Ctrl-C.

We are not the same.

57 comments
Ryan Castellucci :nonbinary_flag:

The CPU usage of this thing is absurd. Doesn't help that my files are encoded with "\n" newlines, but I need to use "\r\n" for an SSH pty for whatever reason.

Ryan Castellucci :nonbinary_flag:

Also wondering if there's any way I can precompress the data...

Ryan Castellucci :nonbinary_flag:

Oh, I didn't compile with --release. That'll do it. CPU usage reduced by 80% 😆

Joacim Jacobsson

@ryanc where can I get a container of this for arm please?

Ryan Castellucci :nonbinary_flag:

@jjacobsson I got it working last night, shitposted about it and went to bed.

Will post the code in the next couple of weeks.

I don't use container stuff, and it's Rust so you can just compile it to a single binary anyway.

Joacim Jacobsson

@ryanc _nice_

Having exactly 0 experience with running a honeypot, so I did some googling and realized that it is more complicated than I initially thought :D

But I need to see this.

Ryan Castellucci :nonbinary_flag:

@jjacobsson the video itself is viewable via

nc rya.nc 1987

No sound, but the whole thing is subtitled.

Ryan Castellucci :nonbinary_flag:

@jjacobsson It's pretty amazing how good it looks when you spam the terminal with unicode and 24 bit color escape sequences

PorkrollPosadist

@ryanc If you want to spend ABSOLUTELY way too much effort on this, there IS a way to compress this. You can use console escape codes to update only the parts of the screen which are changing. This is a lost art, but some implementations survive (Emacs notably does this).

Rich Felker

@porkroll @ryanc That's curses. That's the whole point of curses. It's diff for charcell arrays.

datenwolf

@ryanc @dalias @porkroll

Do some motion estimation. In rectangular regions that coherently move vertically you could set a scroll region and just scroll that area.

Umberto Ecco

@dalias @porkroll @ryanc curses uses escape codes, but you don’t have to use curses to use escape codes. You can emit them yourself if you like

Ryan Castellucci :nonbinary_flag:

@nyankat @dalias @porkroll I'm already doing stuff like detecting where the colors are almost the same and not updating them for the next character. I have my own termcell serialization format built already to facilitate this.
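The "diff for charcell arrays" idea from the posts above, as an added example in Python (not Ryan's code or the ansi-pl project's): only cells that changed since the previous frame are re-sent, and 24-bit colours within a tolerance of each other are treated as equal so the SGR sequence is not repeated. The Cell layout, the tolerance of 8 and the two sample frames are assumptions constructed for the example.

```python
# Added example, not from the thread: a curses-style diff of two "termcell" frames
# that emits only the escape sequences needed to redraw changed cells. Cell layout assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

RGB = Tuple[int, int, int]
CSI = "\x1b["

@dataclass(frozen=True)
class Cell:
    ch: str   # one displayed character
    fg: RGB   # 24-bit foreground colour
    bg: RGB   # 24-bit background colour

Frame = List[List[Cell]]  # rows of cells, all rows the same width

def colour_close(a: RGB, b: RGB, tol: int) -> bool:
    """Colours whose channels differ by at most `tol` count as the same."""
    return all(abs(x - y) <= tol for x, y in zip(a, b))

def same_cell(a: Cell, b: Cell, tol: int) -> bool:
    return a.ch == b.ch and colour_close(a.fg, b.fg, tol) and colour_close(a.bg, b.bg, tol)

def render_diff(prev: Optional[Frame], cur: Frame, tol: int = 8) -> str:
    """Escape sequences turning a terminal showing `prev` into one showing `cur`.
    prev=None is a full redraw; cursor and active colours are tracked to skip redundant output."""
    out, cursor, fg, bg = [], None, None, None
    for r, row in enumerate(cur):
        for c, cell in enumerate(row):
            if prev is not None and same_cell(prev[r][c], cell, tol):
                continue                                  # still correct on screen
            if cursor != (r, c):
                out.append(f"{CSI}{r + 1};{c + 1}H")     # CUP is 1-based
            if fg is None or not colour_close(fg, cell.fg, tol):
                out.append(f"{CSI}38;2;{cell.fg[0]};{cell.fg[1]};{cell.fg[2]}m")
                fg = cell.fg
            if bg is None or not colour_close(bg, cell.bg, tol):
                out.append(f"{CSI}48;2;{cell.bg[0]};{cell.bg[1]};{cell.bg[2]}m")
                bg = cell.bg
            out.append(cell.ch)
            cursor = (r, c + 1)                           # printing advances one column
    return "".join(out)

def make_frame(rows: List[str], fg: RGB, bg: RGB) -> Frame:  # constructed helper
    return [[Cell(ch, fg, bg) for ch in line] for line in rows]

def demo() -> Tuple[int, int]:
    """Bytes for a full redraw of frame b vs. the diff from a (one cell differs)."""
    a = make_frame(["NEVER GONNA ", "GIVE YOU UP "], (255, 255, 255), (0, 0, 0))
    b = make_frame(["NEVER GONNA ", "GIVE YOU UP!"], (250, 252, 255), (0, 0, 0))
    return len(render_diff(None, b)), len(render_diff(a, b))
```

The slight foreground shift between the two frames is within the tolerance, so the diff re-sends only the single changed cell plus one cursor move.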

Rich Felker

@ryanc You should be able to set the newline conversion mode on the pty with stty/tcsetattr.

Andrew Bartlett

@ryanc Using only terminal beeps, right?

Sounds deliciously painful! ;-)

Antranig Vartanian :freebsd:

@ryanc actually, SSH honeypots running @illuria 's LureOS are just OpenSSH as is :P

But I’ll add NGGYU into .profile, just to mess with the attackers :D

</shame-less marketing>

Morten Linderud

@ryanc

This is funny. I wrote a SSH server that writes out the script to Hackers while ignoring Ctrl-C.

Morten Linderud

@ryanc @Dtl @viq

I tried getting ffmpeg to output Hackers through caca but it wasn't super easy as you need to render each frame from the ncurses driver.

Ryan Castellucci :nonbinary_flag:

@Foxboron @Dtl @viq I'm extracting individual frames as low quality jpg (quality really doesn't matter here, lol) and then converting individual frames to ANSI.

infosec.exchange/@ryanc/113039

Morten Linderud

@ryanc @Dtl @viq

Ahh, that is great. If you do this with Hackers please pass me a copy :)

Mathias Panzenböck

@ryanc @Foxboron @Dtl @viq Very cool! Did something similar myself a few months ago. (Also in Rust.) I always render 2 pixels per character and only support images, including animated GIFs. You seem to do more than one pixel per character, but quantize them to two colors?

Jerry Mouse

@ryanc@infosec.exchange Nice, please share that script... Would love to set up a hp-account for that

nex

@ryanc@infosec.exchange SSH honeypot that hijacks the remote terminal to play the portal 1 ending, with music

Pete

@ryanc I started taking all the wp/admin login attempts and sending back sql injection attacks. I unleashed such a shit show that my hosting service dropped me.

Alison Meeks

@philpetree I send them to the cybercrimes department at the FBI. 😁@ryanc

Bee O'Problem

@ryanc I now lowkey wish RickrollMEMZ was a thing

Hijack the machine to display the video (and crash the system once the video is over) and also trash the BIOS to show the Rick Astley on boot.

SpaceLifeForm

@ryanc

Bonus points if you can make them hear the music thru the PC Speaker.

unexpectedteapot

@ryanc so since no one asked, I'll volunteer: do you have this software hosted on a gitsomething somewhere?

Ryan Castellucci :nonbinary_flag:

@unexpectedteapot I'll post it eventually, but probably not the animation file (it's 50MB)

I basically mashed this together with russh:

github.com/ryancdotorg/ansi-pl

You can see the animation via

nc rya.nc 1987

vxo

@ryanc that reminds me to spin up a view only, publicly accessible vnc slideshow of pictures of my cat
@foone

DELETED

@ryanc that's crazy. but have you seen the honeypots that start sending endless random data when you run something like cat /proc/cpuinfo?

maybe you should loop the video :P

Bram Diederik

@ryanc neat.
I bet making it a docker isn't that hard.

Mx Autumn :blobcatpumpkin:

@ryanc this is the sort of content I follow for :kermit:

schrotthaufen

@ryanc @alech I used to put rickrollrc into /root/.bashrc 😇

maswan

@ryanc I suspect most of our nyancat.accum.se telnet users are in fact honeypotted, but it is a decent number of Mbit/s on average.

Only Ohm

@ryanc Meanwhile, I can't even get audio to tunnel over a ssh connection when the ssh server is a docker container hosted on the same machine where the ssh client is running. Sigh.

Noah Cook

@ryanc This gives me an idea for a side-channel attack: hang around Columbia, MD the weekend after a threat actor incident, and see how many spooks from the Fort nearby are whistling that song...
